Reproduction permitted for personal use only. For reprints and reprint permission, contact firstname.lastname@example.org.
Update: Microsoft has promised an official fix on January 10, following its normal "patch Tuesday" schedule. Microsoft and Gartner have both cautioned users about the unofficial patch, both because of its outsider status and because it will have to be uninstalled when the official patch is installed. Of course, anyone whose system is being affected has no other recourse until January 10.
As Windows users wait to see when Microsoft will release an official patch for a dangerous Windows vulnerability, security experts are taking the unusual position of urging people to install an unofficial patch before the situation spins out of control.
Because of a bug in the way Windows handles images, viewing any image on a Windows machine could cause a malicious program to be installed and run. This could come from a Web page, through the MSN Messenger instant-messaging client, or through opening a picture attachment to an e-mail. And because the flaw is in a core part of Windows, even users of Firefox or other browsers are not completely protected from infected images on the Web.
Many vulnerabilities are patched before they are actually exploited, but not this one. Several real examples of malicious programs have been spotted "in the wild" by security companies. These programs download hacking tools onto the computer of anyone who views an infected image, and have been found to work on fully patched, up-to-date Windows XP systems. The images are also bypassing anti-virus software.The unofficial patch is available here. (Linked site was available on publication but has been experiencing significant downtime.)
It was developed by Ilfak Guilfanov, a programmer who also created IDA Pro, a tool for designing and taking apart software.
Despite its unofficial nature, which may lead corporate IT departments to avoid the patch, SANS Institute
security pro Tom Liston said in a recent online statement
that SANS had carefully examined the patch, and "it does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective."
Microsoft normally releases its official patches on the second Tuesday of each month. Unless the company takes an unusual step this time, which it has not yet announced, an official fix may not be available until January 10.